OASIS ratifies security standard

A major standards body recently announced the ratification of a standard that could benefit companies that need to control user access to Web services or secured information over the Internet. The Extensible Access Control Markup Language (XACML) is an XML specification that can be used to describe authorization policies in an open, interoperable way.

But it’s unclear how great an impact XACML will have in the community of vendors supporting Web services, since the newly anointed standard from the Organization for the Advancement of Structured Information Standards (OASIS) is only one small piece of the Web services security puzzle, said Jason Bloomberg, an analyst at ZapThink LLC in Waltham, Mass.

Bloomberg said he wouldn’t be surprised to see XACML merge with another Web services standard, such as Web Services Policy (WS-Policy).

Kevin Cronin, chief enterprise architect for financial services at Boston-based Niteo Partners Inc., said he’s a bit worried about overlapping standards at this early stage, since no one wants to do work that might later have to be discarded if another standard becomes the accepted one.

Cronin added that he thinks the issue XACML addresses is “very real” and needs to be dealt with in order to ensure more efficient and more secure policy management, enforcement and auditing.

Sun Microsystems Inc. announced this week the release of an XACML implementation under an open-source licence. The company claimed that the implementation will help developers build secure Web services and applications because they will no longer have to concern themselves with the patchwork of proprietary access-control policy languages.

But it’s unclear when or whether other vendors will build to the standard. Paul Patrick, chief security architect at BEA Systems Inc. in San Jose, Calif., said that even though BEA served on the standard’s technical committee, it currently has no plans to support XACML in products. Patrick said authorization providers are more likely candidates.

A spokesperson for Microsoft Corp. said the company has no plans to support XACML either. He added that Microsoft considers WS-Policy and WS-Security to be the more complete framework for addressing needs in this area.